How to Secure Joomla Website from Brute Force Attacks?

Joomla is the second largest open-source CMS platform powering millions of websites from small to enterprise level.

There are many techniques used by a hacker to attack a site, and one of the popular ones is Brute Force Attacks.

As you can see, it stands out as the fifth position in the latest report by WhiteHat Security.

Brute Force can happen to any other platform like WordPress, Magento, Drupal, or even the server OS. Technically, any platform/service, API, etc. which is password protected, can be a victim of brute force attacks.

The good news is mitigating brute force attacks, not as hard as other vulnerabilities.

If you are running your blog, business website, eCommerce on Joomla CMS, and looking for a Brute Force mitigation solution, then the following will help you.

Admin Brute Force Protection

Admin brute force protection is a FREE plugin by SiteGuarding to protect /administrator login against bots and scripts login.


AminExile is one of the most highly rated security plugins, which lets you do many things to protect the Joomla website.

  • Add access key – include extra key in Joomla administrator URL
  • Add key-value – include key and value in administrator URL

Block the login request if brute force detected by detecting max attempts and the option to notify admin by email.


SUCURI Firewall is an all-in-one cloud-based security provider to protect a multi-platform website from brute force attacks, bad bots, DDoS attacks, SPAM, SQL injection, etc.

If you are looking for comprehensive Joomla security solution, then SUCURI would be a good choice. It runs on a globally distributed anycast network, which means you get protection and enjoy the global CDN performance optimization.

Brute Force Stop

Brute Force Stop is another FREE extension that lets you configure the block threshold & block duration.

  • Block threshold – after how many attempts the IP will be blocked
  • Block duration – for how long the IP will be in the block list

You also have an option to configure the blocked message, configure a notification, etc.

Enable Two-Factor Authentication

Starting from Joomla 3.2, let you enable two-factor authentication with Google Authenticator & YubiKey authentication method without installing any additional plugin.

2-factor authentication cut down the brute force attempts and one of the best ways to add a layer of login security.

RS Firewall

RS Firewall is a premium security extension to secure the Joomla website from the following vulnerabilities include brute force attacks.

  • SQL injection
  • Cross-site scripting
  • Local file intrusion
  • Malware
  • Spam

You can enable to log all the blocked attempts so you can review the logs and permanently block suspicious IP if needed.

RS Firewall also gives you an option to block continents and countries.

You may also consider the following extensions.

Akeeba Admin Tools – a premium extension to maintain, protect, and optimize the Joomla website.

Limit Login Attempts – free plugin to limit login attempts, block IP, limit lockout, lockout notification email, etc.

DMC Firewall – password protects the administrator folder, performs a health check, ban suspicious IP, etc.

Cloudflare WAF

Cloudflare is one of the popular CDN & cloud-based Security solution providers for any websites.

The FREE Plan offers basic security; however, if you are ready to spend a few dollars, then you can go with PRO plan, which comes with many other features with cloud-based WAF, including brute force protection.

Brute force can be dangerous as it may take your online business down for a financial and reputational loss. I hope the above solution helps you to protect your Joomla web site from Brute Force attacks.

Stay secured!

Rate this post